check permission when displaying part views; restrict access to person work items

browser/compound/view_macros.pt

@@ -3,7 +3,9 @@
 
 <metal:data define-macro="standard">
   <tal:part repeat="item item/getParts">
+    <tal:check condition="item/checkPermissions">
       <metal:part use-macro="item/macro" />
+    </tal:check>
   </tal:part>
 </metal:data>
 

organize/work/browser.py

@@ -50,7 +50,7 @@ from loops.organize.tracking.browser import BaseTrackView
 from loops.organize.tracking.report import TrackDetails
 from loops.organize.work.base import WorkItem
 from loops.security.common import canAccessObject, canListObject, canWriteObject
-from loops.security.common import checkPermission
+from loops.security.common import canAccessRestricted, checkPermission
 from loops import util
 from loops.util import _
 
@@ -322,6 +322,9 @@ class PersonWorkItems(BaseWorkItemsView, ConceptView):
 
     columns = set(['Task', 'Title', 'Day', 'Start', 'End', 'Duration', 'Info'])
 
+    def checkPermissions(self):
+        return canAccessRestricted(self.context)
+
     def getCriteria(self):
         return self.baseCriteria
 

security/common.py

@@ -74,6 +74,9 @@ def canListObject(obj, noCheck=False):
         return True
     return canAccess(obj, 'title')
 
+def canAccessRestricted(obj):
+    return checkPermission('loops.ViewRestricted', obj)
+
 def canWriteObject(obj):
     return canWrite(obj, 'title') or canAssignAsParent(obj)